Tuesday, April 19, 2011

For your safety Port 139 should be closed

Although these two ports, 139 and 445, have been well known as a security concern for a long time, it is still worth knowing the details. NFS (Network File System) was developed by Sun, mainly for sharing directories and files between UNIX machines. Microsoft created a protocol called SMB (Server Message Block) that lets people share directories and files with other Windows machines. Microsoft has been trying to rename SMB-based networking to "Windows Networking" and the protocol to "CIFS". When we mount a Samba server directory on our Linux machine, we most likely use the following command.

Microsoft opened a security hole for the many people who had not set an Administrator password. In the early days, anyone could easily reach another machine's C:\WINDOWS directory through the following path:

\\172.17.93.105\ADMIN$

Even when a password is set, malicious people can still find a way in through ports 139 and 445. This article is not about how to attack others through ports 139 and 445; we will look at how SMB and NetBIOS work.
SMB is the most popular protocol for Windows PCs; it lets us share files, disks, directories, printers, and (in some cases) even COM ports across a network. SMB-based networks use a variety of underlying transports, but the most popular is "NetBIOS over TCP/IP".
Here is a concrete example. The SMB client (the hacker) sends a TCP SYN to port 445 on the SMB server (the victim). Without waiting for the SYN/ACK packet, it immediately sends a TCP SYN to port 139 as well. TCP 445 is used to set up the SMB session and TCP 139 to set up the NetBIOS session; SMB needs the NetBIOS protocol. The screenshot shows that once the TCP 139 and TCP 445 sessions are up, the SMB protocol starts to run, and the packet hierarchy shows that SMB runs over NetBIOS.
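To make the "SMB over NetBIOS" layering concrete, here is an added example (not code from the original post) that builds and parses the NetBIOS Session Service framing used on TCP 139: the session request that carries the encoded called/calling names, and the 4-byte session header that every SMB message is wrapped in. The machine names FILESERVER and WORKSTATION1 and the SMB payload bytes are constructed for illustration; the wire format follows RFC 1001/1002.

```python
"""Encode and decode the NetBIOS Session Service framing used on TCP 139,
and the equivalent length-only framing used on TCP 445 (RFC 1001/1002).
This is an added example, not code from the original post; the machine
names and SMB payload below are constructed for illustration."""
import struct

# NetBIOS Session Service message types (RFC 1002 section 4.3.1)
SESSION_MESSAGE = 0x00      # carries the SMB payload
SESSION_REQUEST = 0x81      # "I want to talk to <called name>"
POSITIVE_RESPONSE = 0x82
NEGATIVE_RESPONSE = 0x83

SUFFIX_FILE_SERVER = 0x20   # service suffix for the server's name
SUFFIX_WORKSTATION = 0x00   # service suffix for the client's name


def encode_netbios_name(name: str, suffix: int) -> bytes:
    """First- and second-level encode a NetBIOS name.

    The 15-character space-padded name plus one suffix byte is split into
    nibbles, each written as an ASCII letter 'A'..'P'; the result is sent
    as a DNS-style label: length byte, 32 letters, zero terminator."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix & 0xFF])
    letters = bytearray()
    for b in raw:
        letters.append(0x41 + (b >> 4))
        letters.append(0x41 + (b & 0x0F))
    return bytes([32]) + bytes(letters) + b"\x00"


def decode_netbios_name(label: bytes) -> tuple:
    """Reverse encode_netbios_name, returning (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("malformed NetBIOS name label")
    letters = label[1:33]
    if any(not 0x41 <= c <= 0x50 for c in letters):
        raise ValueError("NetBIOS name contains a non-'A'..'P' character")
    raw = bytes(((letters[i] - 0x41) << 4) | (letters[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def session_header(msg_type: int, body_len: int) -> bytes:
    """4-byte header: type, flags (bit 0 extends the length to 17 bits), length."""
    if body_len >= 1 << 17:
        raise ValueError("body too large for NetBIOS session framing")
    return struct.pack("!BBH", msg_type, (body_len >> 16) & 1, body_len & 0xFFFF)


def parse_session_header(data: bytes) -> tuple:
    """Return (msg_type, body_len) from the first four bytes of a TCP 139 stream."""
    if len(data) < 4:
        raise ValueError("truncated session header")
    msg_type, flags, length = struct.unpack("!BBH", data[:4])
    return msg_type, ((flags & 1) << 16) | length


def build_session_request(called: str, calling: str) -> bytes:
    """The first message the client sends on TCP 139, before any SMB traffic."""
    body = (encode_netbios_name(called, SUFFIX_FILE_SERVER)
            + encode_netbios_name(calling, SUFFIX_WORKSTATION))
    return session_header(SESSION_REQUEST, len(body)) + body


def wrap_smb(smb_payload: bytes) -> bytes:
    """Frame an SMB message as a NetBIOS session message (type 0x00).

    TCP 445 skips the session request and uses the same 4-byte header with
    a zero type byte and a 24-bit length, so this framing works there too."""
    return session_header(SESSION_MESSAGE, len(smb_payload)) + smb_payload


if __name__ == "__main__":
    req = build_session_request("FILESERVER", "WORKSTATION1")
    print("session request:", req.hex())
    print("header:", parse_session_header(req))
    # Constructed stand-in for an SMB negotiate request (only the magic is real)
    smb = b"\xffSMB" + b"\x72" + bytes(27)
    print("framed SMB:", parse_session_header(wrap_smb(smb)))
```

The session request is 72 bytes: a 4-byte header of type 0x81 followed by two 34-byte name labels. On TCP 139 the server must answer with a positive response (0x82) before the client sends its first SMB message; on TCP 445 the client skips straight to type-0x00 framed SMB messages, which is why the post's capture shows NetBIOS only on the 139 side.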

After Microsoft noticed this security issue, TCP 139 and 445 were blocked by default, so the SMB server never replies to the SYN packet when the firewall is on. We can use nmap to test this.
Firewall is off.
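The same check can be scripted without nmap. This added example (not from the original post) does a plain TCP connect to ports 139 and 445 and reports each as open (SYN/ACK came back), closed (the host answered with RST, so it is reachable but the port is not listening) or filtered (no reply at all, the firewall-on case the post describes). It is a connect check rather than nmap's SYN scan, and the host 192.0.2.10 is a documentation address used as a constructed placeholder.

```python
"""Check whether a host exposes TCP 139 and 445, reporting each port as
open (SYN/ACK received), closed (RST received) or filtered (no reply at
all, which is what a host with the Windows firewall on produces).
Added example, not from the original post; this is a plain TCP connect
check rather than nmap's SYN scan, and 192.0.2.10 is a documentation
address used as a constructed stand-in for a real host."""
import errno
import socket
from typing import Dict, Optional

SMB_PORTS = {
    139: "NetBIOS session service",
    445: "SMB over TCP (direct hosting)",
}


def classify(err: Optional[BaseException]) -> str:
    """Map the outcome of connect() to the nmap-style port state."""
    if err is None:
        return "open"            # handshake completed: SYN/ACK came back
    if isinstance(err, (socket.timeout, TimeoutError)):
        return "filtered"        # nothing came back: the SYN was silently dropped
    if isinstance(err, ConnectionRefusedError):
        return "closed"          # host answered with RST: reachable, port closed
    if isinstance(err, OSError) and err.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Attempt a full TCP connect to host:port and classify the result."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return classify(None)
    except OSError as exc:
        return classify(exc)
    finally:
        sock.close()


def check_smb_exposure(host: str, timeout: float = 2.0) -> Dict[int, str]:
    """Probe both SMB-related ports and return {port: state}."""
    return {port: probe(host, port, timeout) for port in SMB_PORTS}


def is_exposed(states: Dict[int, str]) -> bool:
    """True when either port accepts connections from this vantage point."""
    return any(state == "open" for state in states.values())


if __name__ == "__main__":
    target = "192.0.2.10"   # constructed placeholder, replace with the host under test
    results = check_smb_exposure(target)
    for port, state in sorted(results.items()):
        print(f"{target}:{port} ({SMB_PORTS[port]}): {state}")
    print("SMB reachable" if is_exposed(results) else "SMB not reachable from here")
```

With the firewall off, both ports report open, matching the nmap result above; with the firewall on, the connect attempts time out and both report filtered, which is the "never replies to the SYN" behaviour the post describes. A closed result means the host is up but the service is not listening, so it is worth distinguishing from filtered when auditing which machines still expose 139.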